Intrusion detection system with GA


  1. Intrusion Detection System
     B95901153 薛仲翔
     B96901038 郭建言
  2. Outline
     The Development of IDS
     The Architecture and Strategies of IDS
     IDS with GA
     The Implementation of IDS with Some Other Popular Methods
  4. Security Audit
     Generate, record, review, and then sort system events for security purposes.
     System monitoring
     Avoiding misuse
     Event reconstruction
     Accountability
     Damage assessment and recovery
  5. The Development of IDS
     In the 1950s, a requirements document for Electronic Data Processing (EDP) audit was defined.
     In the 1970s, audit processing was subsumed into the "Trusted Computer System Evaluation Criteria".
  6. The Development of IDS (cont.)
     Audit reduction
     Distinguishing risks and threats
     Statistical analysis
     Masquerade attacks
     Intrusion detection systems after the 1980s
     Discovery, Haystack, MIDAS, NADIR, NSM, etc.
     Commercial products
  8. Architecture
     Functional devices:
       information source
       analysis engine
       response component
     Separate the audit system from the audited system:
       an intruder may shut down the IDS
       audit records may be altered or deleted
       reduces the load on the IDS
  9. Strategies
     Information source, or event generator:
       Host-based
       Network-based
       Application-based
       Target-based
  10. Strategies (cont.)
      Analysis:
        Misuse
        Anomaly
      Response:
        Accountability
        Log
        Alarm the administrator
        Adjust the IDS or the intruded system
        Notify routers and/or firewalls
  12. Genetic Algorithm (GA)
      [Figure: simple GA flow (Prof. TianLi Yu). Chromosomes are shown as bit strings; the loop is Initialization -> Evaluation -> Selection -> Crossover -> Mutation -> Replacement, repeated until termination, with crossover and mutation producing offspring of higher or lower fitness.]
      GA is a kind of global hill-climbing algorithm.
  13. Why Genetic Algorithm (GA)?
      Misuse detection is not handled well, because it needs continuous updating.
      A system based on GA can be easily re-trained.
      The space of potential solutions is truly huge.
      GA copes with that space thanks to its implicit parallelism, which lets it evaluate many schemas at once.
  14. System Implementation (developed by Banković et al.)
      Rule-based IDS:
        If-then rules are trained to recognize normal connections.
        Multi Expression Programming (MEP) is applied to construct the rules.
        Very low false-positive rate
      Linear classifier:
        Classifies connections into normal ones and potential attacks.
        Low false-negative rate
        High false-positive rate -> its decisions have to be re-checked.
  15. System Implementation
      Linear classifier:
        Population = 1000; Generations = 300
        The features used to describe an attack:
          gene[1]*duration + gene[2]*src_bytes + gene[3]*dst_host_srv_serr_rate < gene[4]
        Fitness function: squared percentage (achieves better performance)
  16. System Implementation
      Rule-based IDS:
        Fitness function: F-measure
        If-then rules are trained to recognize normal connections.
        Multi Expression Programming (MEP) is applied to construct the rules.
        Very low false-positive rate
        [Figure: a rule encoded as the fields Service, Hot, Logged, Threshold]
        Sample rule used to identify normal connections:
          If (service == "http" and hot == "0" and logged_in == "0") then normal
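An added example (not code from the deck or from Banković et al.) that runs the simple GA flow of slide 12 over the linear-classifier chromosome of slide 15, on a constructed set of KDD-style connection records. It uses the F-measure of slide 16 as the fitness, since the deck does not define the linear classifier's "squared percentage" fitness, and it scales the population and generation count down from 1000/300; the records, the gene ranges and the GA parameters are all assumptions.

```python
import random

# Constructed KDD-style connection records (made up for this example, not
# taken from KDD_10_percent): (duration, src_bytes, dst_host_srv_serr_rate, is_attack)
RECORDS = [
    (0, 300, 0.00, 0), (2, 1500, 0.00, 0), (1, 800, 0.10, 0),
    (0, 450, 0.00, 0), (5, 2300, 0.00, 0), (0, 620, 0.05, 0),
    (0, 0, 1.00, 1), (0, 0, 0.90, 1), (0, 0, 1.00, 1),
    (1, 0, 0.80, 1), (0, 0, 1.00, 1), (0, 0, 0.95, 1),
]

def is_attack(genes, rec):
    """Slide 15 rule: g1*duration + g2*src_bytes + g3*serr_rate < g4 (0-based here)."""
    dur, src, serr, _ = rec
    return genes[0] * dur + genes[1] * src + genes[2] * serr < genes[3]

def f_measure(genes, records):
    """Fitness: F1 on the attack class (assumed choice, see lead-in)."""
    tp = fp = fn = 0
    for rec in records:
        pred, truth = is_attack(genes, rec), bool(rec[3])
        tp += pred and truth
        fp += pred and not truth
        fn += (not pred) and truth
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)

def evolve(records, pop_size=200, generations=40, seed=1):
    """Simple GA flow: initialization, then evaluation, selection, crossover,
    mutation and replacement, repeated until the generation budget ends."""
    rng = random.Random(seed)
    # Initialization: real-valued chromosomes, four genes drawn from [-1, 1]
    pop = [[rng.uniform(-1, 1) for _ in range(4)] for _ in range(pop_size)]
    for _ in range(generations):
        scored = [(f_measure(g, records), g) for g in pop]   # evaluation
        elite = max(scored, key=lambda t: t[0])[1]
        def select():  # tournament selection of size 3
            return max(rng.sample(scored, 3), key=lambda t: t[0])[1]
        children = [elite]  # elitism keeps the best chromosome unchanged
        while len(children) < pop_size:
            a, b = select(), select()
            cut = rng.randrange(1, 4)           # single-point crossover
            child = a[:cut] + b[cut:]
            if rng.random() < 0.2:              # mutation: perturb one gene
                child[rng.randrange(4)] += rng.gauss(0, 0.2)
            children.append(child)
        pop = children                           # replacement
    best = max(pop, key=lambda g: f_measure(g, records))
    return best, f_measure(best, records)
```

On real KDD data the raw src_bytes scale dominates the other two features, so the genes (or the features) would need scaling before the search is meaningful.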
  17. Results
      The experimental results of the whole system:
      Trained on 250000 of the 491021 records in "KDD_10_percent"
      Retrained on the remaining records from KDD_10_percent
  18. Discussion
      Advantage:
        Performs the training process and the intrusion detection process faster while maintaining a high detection rate, because only six features are used for training.
      Drawback:
        The distribution of attacks and normal connections in the datasets is not very realistic [7]: only 20% of the training data set consists of normal connections, while in the real world the situation is quite the opposite, as the percentage of normal packets highly exceeds the percentage of intrusive ones.
  20. The Implementation of IDS with Some Popular Methods
  21. References
      Ludovic Mé, "GASSATA, A Genetic Algorithm as an Alternative Tool for Security Audit Trails Analysis", 2000
      Zorana Banković et al., "A Genetic Algorithm-based Solution for Intrusion Detection", 2009
      Rebecca Gurley Bace, 駭客入侵偵測專業手冊 (Professional Handbook of Hacker Intrusion Detection), translated and edited by 賴冠州, 旗標出版社 (Flag Publishing), 2001
